Jess Holle writes:
The use cases are:

1. multiple organizations, each with their own LDAP wish to allow
their personnel into a common site -- each has its own, separately
administered LDAP
2. a single organization has a read-only internal LDAP and a writable
LDAP for external guests -- again for a common site

In both cases there are multiple LDAP directories which have no overlap, i.e. if the first LDAP does not contain the uid, then the second must be tried -- this is quite different than the multiple fail-over LDAP URLs allowed in auth_ldap and Apache 2.0's mod_auth_ldap.

What it sounds like to me is that you are requesting a function that would be able to handle LDAP authentication using multiple, separate LDAP sources with distinct schemata.

Essentially, if the user is not found in the mapped field of primaryServer, then check the mapped user field of secondaryServer and then tertiaryServer... in an environment where the mapped field may be different for each of these servers. E.g. searching uid on primaryServer, username on secondaryServer, and SystemUser on tertiaryServer?

Am I understanding correctly?

To my knowledge, no, there is no such feature implemented in the available Apache 2-based LDAP authentication projects. You may want to suggest it as a feature request to one or more of the more popular LDAP-related authentication projects. Understand, though, the overhead that such a system would probably imply on an authentication request when the credential is not located in the first source.

-----------------
Wayne S. Frazee
"Any sufficiently developed bug is indistinguishable from a feature."
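One way the primary/secondary/tertiary fall-through described above could be implemented, as an added example that is not part of this thread or of any of the Apache LDAP modules mentioned. The `LdapSource` class and the three directories are constructed in-memory stand-ins for real LDAP searches and binds; the example falls through to the next source only when the user is not found, so a wrong password against the directory that does hold the user never gets retried elsewhere, and it counts the searches performed to make the overhead Wayne mentions visible.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LdapSource:
    """Constructed stand-in for one LDAP directory with its own mapped field."""
    name: str
    base_dn: str
    user_attr: str          # the "mapped field": uid, username, SystemUser, ...
    entries: dict = field(default_factory=dict)   # dn -> attribute dict

    def search(self, username: str) -> Optional[str]:
        """Return the DN whose mapped attribute equals username, or None."""
        for dn, attrs in self.entries.items():
            if attrs.get(self.user_attr) == username:
                return dn
        return None

    def bind(self, dn: str, password: str) -> bool:
        """Simulate a simple bind: succeed only with the entry's own password."""
        entry = self.entries.get(dn)
        return entry is not None and entry.get("password") == password


def authenticate(sources, username, password):
    """Try each source in order; return a result dict on success, else None.

    Fall through only on NOT FOUND.  Because the directories are assumed to
    be non-overlapping, a failed bind against the source that holds the user
    ends the attempt; a later source cannot legitimately vouch for that user.
    """
    searches = 0
    for src in sources:
        searches += 1
        dn = src.search(username)
        if dn is None:
            continue                     # not in this directory: try the next
        if src.bind(dn, password):
            return {"source": src.name, "dn": dn, "searches": searches}
        return None                      # found but bad credentials: stop here
    return None                          # exhausted every source


# Constructed sample directories, one per organisation / guest store.
PRIMARY = LdapSource("primary", "ou=people,dc=orgA", "uid",
    {"uid=alice,ou=people,dc=orgA": {"uid": "alice", "password": "a-pw"}})
SECONDARY = LdapSource("secondary", "ou=users,dc=orgB", "username",
    {"cn=bob,ou=users,dc=orgB": {"username": "bob", "password": "b-pw"}})
TERTIARY = LdapSource("guests", "ou=guests,dc=site", "SystemUser",
    {"cn=carol,ou=guests,dc=site": {"SystemUser": "carol", "password": "c-pw"}})
CHAIN = [PRIMARY, SECONDARY, TERTIARY]
```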